Two-factor authentication finally heading to Microsoft Accounts

Redmond catching up with Google, Facebook, Apple.

Microsoft Accounts—the credentials used for Hotmail, Outlook.com, the Windows Store, and other Microsoft services—will soon offer two-factor authentication to ensure that accounts can't be compromised through disclosure of the password alone.

Revealed by LiveSide, the two-factor authentication will use a phone app—which is already available for Windows Phone, even though the two-factor authentication isn't switched on yet—to generate a random code. This code must be entered alongside the password.

For systems that are used regularly, it's possible to disable the code requirement and allow logging in with the password alone. For systems that only accept passwords, such as e-mail clients, it appears that Microsoft will allow the creation of one-off application-specific passwords.

When this feature is finally enabled, it will bring Microsoft Accounts in line with comparable facilities already available for Google, Facebook, PayPal, and most recently, Apple accounts.

Curiously, this is the second two-factor scheme for Microsoft Accounts. Certain sensitive operations, such as trusting a new PC to enable it to sync passwords, can already work with two-factor authentication, using a random code sent by text message rather than an app. Why this scheme was not simply extended to cover logging in is presently unclear.

Good to hear Microsoft is finally getting their shit together WRT Microsoft Accounts. I've been waiting since ... forever... for their "rename account" feature to get fixed. I was following a topic on their support forums from December, when they disabled the feature for everyone, while they "looked into the problem." Finally, a few days ago, they updated the topic to say that the feature had finally been fixed.

Why this scheme was not simply extended to cover logging in is presently unclear.

Probably because Microsoft is a case study in divisional territorialism.

This would be a more devastating retort if GOOGLE did not also NOT offer two-factor authentication for "Google Domains" or whatever the hell they currently call the scheme whereby they provide GMail for a non @gmail.com domain ...

Looks like this is going to be using TOTP too, which means I get to drop it into my Google Authenticator alongside Dropbox and Google Accounts. I wish they all used TOTP (looking at you Paypal and BofA).
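The "random code" the article says the phone app generates, and which the comment above identifies as TOTP, is not random at all: it is an HMAC of a shared secret and the current 30-second time slot. The block below is an added example, not code from the article, from LiveSide, or from Microsoft's authenticator app. It implements RFC 4226 HOTP and RFC 6238 TOTP in Python, adds a server-side verifier that tolerates one step of clock drift and refuses to accept the same code twice, and emits the otpauth:// key URI that Google Authenticator-style apps scan. The secret is the RFC's published test key; the verifier's window and replay policy are assumptions about what a sensible server does, not a description of Microsoft's service.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 published test secret (ASCII "12345678901234567890").
# A real seed is random bytes; this one exists only to check the arithmetic.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamic-truncate, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step).
    Anyone holding `secret` and a clock computes the same code, which is why
    a stolen seed is equivalent to a stolen token."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


class TotpVerifier:
    """Server-side check with a small drift window and replay rejection.
    Window size and replay policy are assumptions about a sensible server."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_used = -1  # highest counter accepted so far (persist this in real use)

    def verify(self, code, at=None):
        if at is None:
            at = time.time()
        current = int(at) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self._last_used:
                continue  # already consumed, or older than one we accepted
            expected = hotp(self.secret, counter, self.digits).encode()
            if hmac.compare_digest(expected, str(code).encode()):
                self._last_used = counter
                return True
        return False


def provisioning_uri(issuer, account, secret, digits=6, step=30):
    """otpauth:// key URI in the format Google Authenticator-style apps consume."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Reproduce a few of the RFC 6238 Appendix B vectors (8 digits, SHA-1).
    for t, expected in [(59, "94287082"), (1111111109, "07081804"),
                        (1234567890, "89005924"), (20000000000, "65353130")]:
        assert totp(RFC_TEST_SECRET, t, digits=8) == expected
    print("current code:", totp(RFC_TEST_SECRET))
    print(provisioning_uri("Example", "alice@example.com", RFC_TEST_SECRET))
```

Two practical points follow from the code. First, the provisioning URI is exactly what lets one app hold seeds for several services at once: the app only needs the base32 seed, the algorithm and the step, so a service using this format works in any RFC 6238 client. Second, because the server and the phone compute the same HMAC, the server has to store the seed in a form it can use, unlike a password that can be kept as a one-way hash; protecting that seed store is the real security boundary.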

This would be a more devastating retort if GOOGLE did not also NOT offer two-factor authentication for "Google Domains" or whatever the hell they currently call the scheme whereby they provide GMail for a non @gmail.com domain ...

Which is funny, because Microsoft can for its federated business services. I have spent the last couple months learning way too much about their federation and single sign-on apps.

I don't see what's so great about 2-factor authentication that uses SMS or a phone app. If it's something you log into often - say, your tablet that uses Microsoft Account authentication - every time the lock screen kicks in, you're going to have to request a one-time password. Having to request an OTP and wait for SMS every time I unlock the PC is a non-starter in my opinion.

You have no idea how this works do you?

Short version: What you just said will NOT happen. Your PC is "trusted" because you made it so. This is for websites on unfamiliar devices.

And I can confirm the Microsoft app works with Facebook's "login approvals" and Amazon Web Services' solution. Just like the other Authenticator apps on Windows Phone Store...

This one is the only one that allows you to rename accounts after creating them though, I think.

Entegy wrote:

DNick wrote:

Short version: What you just said will NOT happen. Your PC is "trusted" because you made it so. This is for websites on unfamiliar devices.

And even on unfamiliar devices you don't have to wait for the code because it is generated on your phone. Sending the code via SMS is only a backup option (I presume, because that is how it works with Dropbox and Gmail).

Looks like this is going to be using TOTP too, which means I get to drop it into my Google Authenticator alongside Dropbox and Google Accounts. I wish they all used TOTP (looking at you Paypal and BofA).

I had no idea you could add other accounts to the Google Authenticator app - thanks for pointing this out!

Short version: What you just said will NOT happen. Your PC is "trusted" because you made it so. This is for websites on unfamiliar devices.

OK but I'm not sure I agree with this. Mobile devices walk off all the time, so don't I need the protection at least as much on that tablet as I do anywhere else? Because if you steal the tablet and get access, now you're into my outlook.com mail, SkyDrive, Skype, Xbox - all my Microsoft services at once.

I'd agree if we were talking about a desktop in the safety of my home. I'm a lot more worried about the devices that are likely to disappear in an airport.

OK but I'm not sure I agree with this. Mobile devices walk off all the time, so don't I need the protection at least as much on that tablet as I do anywhere else? Because if you steal the tablet and get access, now you're into my outlook.com mail, SkyDrive, Skype, Xbox - all my Microsoft services at once.

I'd agree if we were talking about a desktop in the safety of my home. I'm a lot more worried about the devices that are likely to disappear in an airport.

I think there is some confusion; here is a security example, as happens with my bank account.

Let's say a person in Russia tries to sign in to your account. It will recognize it's not your usual computer and send a text to your phone to confirm the login attempt.

That person would then have to enter that text to actually gain access to your account, even if they have your password.

I think there is some confusion; here is a security example, as happens with my bank account.

Let's say a person in Russia tries to sign in to your account. It will recognize it's not your usual computer and send a text to your phone to confirm the login attempt.

That person would then have to enter that text to actually gain access to your account, even if they have your password.

OK gotcha. That doesn't interest me because I'm pretty much never logging in to the Microsoft Account from anywhere that's not a trusted PC. What I want is conventional 2-factor authentication - something like RSA that prevents access to someone who gets the password but not the second authenticator.

OK but I'm not sure I agree with this. Mobile devices walk off all the time, so don't I need the protection at least as much on that tablet as I do anywhere else? Because if you steal the tablet and get access, now you're into my outlook.com mail, SkyDrive, Skype, Xbox - all my Microsoft services at once.

I'd agree if we were talking about a desktop in the safety of my home. I'm a lot more worried about the devices that are likely to disappear in an airport.

If this works the way Google's single-purpose passwords do, you can (and should) revoke the device's access as soon as you notice it's been stolen. That limits the window in which the thief can do damage.
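The article mentions two things that sit beside the code itself: a device can be marked trusted so the password alone suffices there, and clients that only understand passwords get application-specific passwords. The block below is an added example, not Microsoft's or Google's code, of what a per-account registry for both might look like on the server, including the revocation step this comment recommends for a stolen device. Identifiers, token formats, the 16-character app-password alphabet and the PBKDF2 work factor are all assumptions.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumed application-password format: 16 lowercase letters and digits,
# roughly 82 bits of entropy, so it never has to be memorable.
APP_PW_ALPHABET = string.ascii_lowercase + string.digits
APP_PW_LENGTH = 16
PBKDF2_ROUNDS = 50_000  # assumed work factor for hashing stored app passwords


class SecondFactorStore:
    """Per-account registry of trusted devices and app-specific passwords.
    Only hashes are kept server side; the plaintext goes to the client once."""

    def __init__(self):
        self._devices = {}   # device_id -> {"label", "token_hash", "trusted_at"}
        self._app_pws = {}   # name -> {"salt", "hash"}

    # --- trusted devices: password alone is enough from these ---
    def trust_device(self, label):
        device_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)   # held by the device, e.g. in a cookie
        self._devices[device_id] = {
            "label": label,
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "trusted_at": time.time(),
        }
        return device_id, token

    def is_trusted(self, device_id, token):
        rec = self._devices.get(device_id)
        if rec is None or token is None:
            return False
        digest = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(rec["token_hash"], digest)

    def revoke_device(self, device_id):
        """Drop the device; the next login from it needs the second factor again."""
        return self._devices.pop(device_id, None) is not None

    def list_devices(self):
        return {d: rec["label"] for d, rec in self._devices.items()}

    # --- app-specific passwords for clients that only speak "password" ---
    def create_app_password(self, name):
        plaintext = "".join(secrets.choice(APP_PW_ALPHABET) for _ in range(APP_PW_LENGTH))
        salt = secrets.token_bytes(16)
        self._app_pws[name] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, PBKDF2_ROUNDS),
        }
        return plaintext

    def verify_app_password(self, candidate):
        """Return the name of the matching app password, or None.
        A linear scan is fine for the handful of entries one account has."""
        for name, rec in self._app_pws.items():
            h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), rec["salt"], PBKDF2_ROUNDS)
            if hmac.compare_digest(h, rec["hash"]):
                return name
        return None

    def revoke_app_password(self, name):
        return self._app_pws.pop(name, None) is not None


def login_decision(store, password_ok, device_id=None, device_token=None, otp_ok=None):
    """Decide a web login: 'deny', 'allow', or 'need_otp' (prompt for the app code)."""
    if not password_ok:
        return "deny"
    if store.is_trusted(device_id, device_token):
        return "allow"            # the PC the user marked as trusted
    if otp_ok is None:
        return "need_otp"         # unfamiliar device: password alone is not enough
    return "allow" if otp_ok else "deny"
```

The important property is that each trusted device and each app password is a separate record with its own secret, so revoking the stolen tablet or the mail client's password touches nothing else and does not require the account password to change. The account password alone, presented from an untrusted device, only ever reaches `need_otp`.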

This is something I've followed for a while - most likely there's no Active Directory implementation. Securing web sites this way is great, but I'd like to use the authenticator app as a requirement for anyone in the admin group in my domain. I'm not a coder - so the source page for that project may have just what I'm looking for but I don't see it. The closest I've seen is a freeradius server, runs Linux - adds Google Authenticator - and you point your active directory server to that freeradius server. Is that right? Is there a simpler way to get google authenticator in Active Directory?

Ahh. So in classic Google UI incoherence, the way to set this up is COMPLETELY different from the UI that is provided for @gmail.com users; and the web page that one goes to following the standard google directions provides zero information about this alternative route.

Thanks for the info, Barry, but, damn Google, can you really not just get your act together regarding a single UI, with accurate documentation, across your myriad properties?

I think there is some confusion; here is a security example, as happens with my bank account.

Let's say a person in Russia tries to sign in to your account. It will recognize it's not your usual computer and send a text to your phone to confirm the login attempt.

That person would then have to enter that text to actually gain access to your account, even if they have your password.

What do you do if you're traveling in Russia and need to log into your bank account?

In theory, Google allows either to pre-print some one-time codes for this purpose, OR run an app on your phone (Android, iOS, Blackberry) which generates these codes (and does not need a network connection). I've never used either of these two paths, so I can't comment on how well they work.

Ahh. So in classic Google UI incoherence, the way to set this up is COMPLETELY different from the UI that is provided for @gmail.com users; and the web page that one goes to following the standard google directions provides zero information about this alternative route.

Thanks for the info, Barry, but, damn Google, can you really not just get your act together regarding a single UI, with accurate documentation, across your myriad properties?

You complain about a problem that doesn't even exist, someone points this out, and you proceed to complain more. What are you doing man?

I think this two-factor authentication may be giving users a bit of false security. There are 3 different ways some anonymous scammer can get your password:

1. Game the password reset function (which may or may not use the two-factor-auth).

2. crack your PW hash from another site and see if you use that password everywhere (two-factor-auth would help here)

3. manage to get a hold of MS or Google's password hashes and crack your pw from there (in this case they would also be able to get your two-factor-auth key as well, and once MS or Google found out, your password would be reset anyway, and so would your two-factor-auth token)

So, really, if you just chose strong passwords to begin with and used a different PW everywhere, then you can save yourself all the trouble of two-factor-auth.

You complain about a problem that doesn't even exist, someone points this out, and you proceed to complain more. What are you doing man?

Do you understand the issue I am complaining about? Or do you just feel a reflexive need to defend Google no matter what?

If I go to the Google account settings for someone with a regular Gmail account, the page offers the ability to set up two-step verification.

If I go to the EXACT SAME PAGE for someone with a domains Google account, the page does not offer the ability to set up two-step verification. That is ALL. It does not say that two-step verification exists and I should look into it. It does not say that the owner of the Google domain needs to switch on the ability to use two-step verification. It is utterly silent. This is BAD UI.

Pretending that Google does not suck when it clearly does is not doing you or your favorite company any favors. You come across as deluded and foolish as the idiots defending Apple in the days of OS9 with stupid statements about how no-one really needed memory protection or pre-emptive multi-tasking.

Google's handling of user login has been a disaster since day one, with a never-ending set of problems regarding incompatible IDs across properties, domain IDs behaving differently from GMail IDs, and documentation being out of date and inconsistent in explaining the full picture. This is simply the latest in this sad saga.

Why use an authenticator and not SMS? Because SMS is bloody expensive. You can expend 5c per SMS for password resets OK, but for every single Hotmail/etc login, that's a lot of money that they'd choose to avoid spending if they can.

I think this two-factor authentication may be giving users a bit of false security. There are 3 different ways some anonymous scammer can get your password:

1. Game the password reset function (which may or may not use the two-factor-auth).

2. crack your PW hash from another site and see if you use that password everywhere (two-factor-auth would help here)

3. manage to get a hold of MS or Google's password hashes and crack your pw from there (in this case they would also be able to get your two-factor-auth key as well, and once MS or Google found out, your password would be reset anyway, and so would your two-factor-auth token)

So, really, if you just chose strong passwords to begin with and used a different PW everywhere, then you can save yourself all the trouble of two-factor-auth.

Replies to your specific points:

1- The password reset function should send a code to your phone that has to be entered to reset your password. If it doesn't, it isn't really 2 factor, is it? So 2 factor prevents this case.

2. As you noted, 2 factor prevents this case.

3. No, the point is when a login is attempted from a new device, a RANDOM code is generated at that time and sent to you- it isn't like RSA where you have a specific predicted 2 auth code at any specific time. Now, if the attacker had continuous access to the db storing the randomly generated codes, you are compromised, but that is a much more serious breach than somebody getting a one-off password hash table.

Then you look at your phone and enter the code that was texted to you into the login page.

Seriously, don't your banks/credit cards already do this? Mine has been this way for the last 3 years.

I asked the question with the assumption that my phone wouldn't work in Russia. At least not with the phone number I use here, which would be the one used by two-factor authentication.

Why would your phone not work in Russia? Or any other country?

When you go overseas, your phone switches to Roaming mode - text messages still arrive to your normal mobile number. The networks are smart enough to know you are in Russia, and divert everything there - it's seamless.

Good to hear Microsoft is finally getting their shit together WRT Microsoft Accounts. I've been waiting since ... forever... for their "rename account" feature to get fixed. I was following a topic on their support forums from December, when they disabled the feature for everyone, while they "looked into the problem." Finally, a few days ago, they updated the topic to say that the feature had finally been fixed.

I was finally able to rename my account to my primary email address.

I've always been hesitant to make this change - there's a lot of stuff linked to that particular account. Does everything just work fine now you've made the change? Xbox Live? Skype? I assume all your contacts in each service don't have to re-add you?

This is something I've followed for a while - most likely there's no Active Directory implementation. Securing web sites this way is great, but I'd like to use the authenticator app as a requirement for anyone in the admin group in my domain. I'm not a coder - so the source page for that project may have just what I'm looking for but I don't see it. The closest I've seen is a freeradius server, runs Linux - adds Google Authenticator - and you point your active directory server to that freeradius server. Is that right? Is there a simpler way to get google authenticator in Active Directory?

Check with Scorpion Software. They offer a number of 2FA and password management apps to businesses of all sizes. I use their AuthAnvil product for securing remote access to our office network.

1- The password reset function should send a code to your phone that has to be entered to reset your password. If it doesn't, it isn't really 2 factor, is it? So 2 factor prevents this case.

2. As you noted, 2 factor prevents this case.

3. No, the point is when a login is attempted from a new device, a RANDOM code is generated at that time and sent to you- it isn't like RSA where you have a specific predicted 2 auth code at any specific time. Now, if the attacker had continuous access to the db storing the randomly generated codes, you are compromised, but that is a much more serious breach than somebody getting a one-off password hash table.

1. the PW reset function needs to work even in the event you lose your phone. It's not acceptable to lose your phone, you lose your account. You may not want to have to wait for a new phone before getting back into your account. Or you may not be able to get a new phone for whatever reason.

2. can be prevented by using different passwords everywhere, thereby bypassing the hassle of 2-factor.

3. the attacker is stealing the random seed that is used to generate the random password. If there is an app that can generate your 2-factor token, then the algorithm is known, and the attacker only needs to get the random seed.

1. the PW reset function needs to work even in the event you lose your phone. It's not acceptable to lose your phone, you lose your account. You may not want to have to wait for a new phone before getting back into your account. Or you may not be able to get a new phone for whatever reason.

2. can be prevented by using different passwords everywhere, thereby bypassing the hassle of 2-factor.

3. the attacker is stealing the random seed that is used to generate the random password. If there is an app that can generate your 2-factor token, then the algorithm is known, and the attacker only needs to get the random seed.

Point 1- 2 factor doesn't specifically have to be a phone; it can be a secondary email account, or a call on a landline, or all of the above. The scenario you are talking about is:

1. Somebody forgets their password and needs to reset it.

2. This same person also lost their phone IN ADDITION to forgetting their password.

This is a pretty big corner case, but most of the password recovery systems I've seen (Chase bank, for example) give you the option to send your recovery code to your phone (SMS), to your phone (Voice Call), or to your secondary email

Point 2. You are correct- if you use a different password everywhere, you aren't vulnerable to cross site password breach.

Point 3. The random seed isn't stored in the same table or even database as usernames/passwords. Generally (and this varies), there is some sort of algo that will generate a code based on the time of the new device login attempt, hashed with the random seed AND some sort of account data, like your username, birthdate, etc. In other words, for this sort of breach, you need the source code for how the codes are generated, as well as the user/pass hash table, PLUS the exact time (according to the server) a login attempt from the new unauthorized device was attempted.

It would be a lot more simple to attempt and impersonate a previously authenticated device.

"thereby bypassing the hassle of 2-factor."

Nobody is saying YOU HAVE to use 2 factor- its available for use to those who want the additional security.

Point 1- 2 factor doesn't specifically have to be a phone; it can be a secondary email account, or a call on a landline, or all of the above. The scenario you are talking about is:

1. Somebody forgets their password and needs to reset it.

2. This same person also lost their phone IN ADDITION to forgetting their password.

This is a pretty big corner case, but most of the password recovery systems I've seen (Chase bank, for example) give you the option to send your recovery code to your phone (SMS), to your phone (Voice Call), or to your secondary email

Point 2. You are correct- if you use a different password everywhere, you aren't vulnerable to cross site password breach.

Point 3. The random seed isn't stored in the same table or even database as usernames/passwords. Generally (and this varies), there is some sort of algo that will generate a code based on the time of the new device login attempt, hashed with the random seed AND some sort of account data, like your username, birthdate, etc. In other words, for this sort of breach, you need the source code for how the codes are generated, as well as the user/pass hash table, PLUS the exact time (according to the server) a login attempt from the new unauthorized device was attempted.

It would be a lot more simple to attempt and impersonate a previously authenticated device.

"thereby bypassing the hassle of 2-factor."

Nobody is saying YOU HAVE to use 2 factor- its available for use to those who want the additional security.

I was never arguing that it was mandatory, just that it gives a false sense of security. Boil it down, and it's basically just another password, still vulnerable to the same attacks that have been reported here on ars, but more hassle for the user.

Say Mr. Attacker cracked bob1001's ars forum account and got bob1001's password, which he so happened to also use for his gmail account and yahoo account. bob1001 thinks he is safe because he turned on 2-factor with google. Mr Attacker laughs his way into bob1001's gmail account by intercepting the token in bob1001's yahoo account.

Plausible that people will not feel compelled to use different passwords if they think 2-factor will automatically save them. If they used different passwords, they won't need the 2-factor.

If the attacker can steal google's password hashes, then the attacker can steal the 2-factor random seed data, you can't rule it out that it's not compromised.